Anton Chuvakin and I just finished some exciting new research on security monitoring: “Selecting Security Monitoring Approaches by Using the Attack Chain Model” [subscription required], in which we provide advice on how to pick security monitoring solution types an organization should be using. It was definitely a challenge, because making “use X, Y, and Z […]

In the past month I’ve done both a Security Summit talk and a webinar about application security. The gist of the presentations – at least what I wanted customers to take away – is that we can’t sell application security to developers and architects by perpetuating the train-test-fix cycle of pain. It feels, though, like […]

I have encryption on my mind again a lot lately. It certainly has something to do with work in progress for presentations I’m giving at our Catalyst 2012 conference (“Protecting Data in the Public Cloud: Encryption, Obfuscation, or Snake Oil?” and “Scenarios: Encryption, Tokenization, Anonymization, or None of the Above”). But it’s also because I’m […]

Every time a hashed password store gets compromised, people come out of the woodwork and yell things like “They used SHA-1/MD5/DES? OMG that’s so stupid because SHA-1/MD5/DES is broken!” The LinkedIn password breach is no exception. It’s true that they’re no longer good general-purpose hash functions … except that for the purpose of password hashing […]

This is a sister post to Anton Chuvakin’s “Our SIEM Futures Paper Publishes!” from yesterday. We collaborated on a “Security Information and Event Management Futures” note [subscription required], in which we discuss how we believe the technology will evolve in response to current and expected trends. Although Anton is now the primary GTP analyst to […]

A well-known security meme is that “encryption is easy, it’s key management that’s hard.” But while this may be true for certain encryption use cases, it’s most definitely not true across the board. It’s a convenient meme for vendors, of course, who’ll simply point at a “we use AES” or “we’re FIPS 140-2 validated” statement […]

In our recent customer-facing research project on mobile application development, security was a smaller but important consideration for many participants. When I read through a recent “this is what developing for Android looks like” blog post on the effects of Android fragmentation, I got inspired to write a quick piece on the platform. The open […]

It doesn’t take a clairvoyant – or in this case, a research analyst – to see that “big data” is becoming (if it isn’t already, perhaps) a major buzzword in security circles. Not only big data as applied to security, but also security for big data. But what does “securing big data” actually mean? Not […]

We’ve just finished parsing 1.5K data points in a customer-facing research project on mobile applications. We spoke mostly with development team members, but also had a few architects and other functions represented (we even had a person from a marketing team in the mix). The data is very rich, and we’ve spent considerable time deriving […]

We’re always trying to get closer to developing more useful security metrics, and examining analogies provides a way to relate these measurements and metrics to things we already know (and that we perceive as being done and measured well). I like good analogies, but I don’t want to be limited by not-so-good ones. “Flying an […]